Information Security Analyst: How to Get Started in This Growing IT Career

Data is one of the most important commodities for modern business. That’s why information security (infosec) professionals are in such high demand; infosec professionals keep that valuable commodity safe.

Information security analysts are on the front lines of data protection and one of the more common infosec job titles. In a sense, an information security analyst is the trained security guard of computer systems.

In this article, we’ll take a look at the ins and outs of an IT career as an information security analyst. We’ll also share important 2020 updates to popular information security certifications including Cisco’s CCNA certification.

Information security analysts: Projected job growth and salary

The Bureau of Labor Statistics projects that information security analyst jobs will grow by 32% from 2018–2028; the average growth rate for all jobs is around 5%. An experienced information security analyst could see salaries of $116,000 annually, according to Glassdoor, while the median annual base pay is around $76,000.

Infosec professionals have skills transferable to nearly any industry. However, you may find even higher demand in healthcare, banking & financial services, and defense sectors. Because concerns about cybersecurity are growing and technology is advancing so rapidly, US News ranked information security analyst as the fifth-best technology job available.

What does an information security analyst do?

Most of us are familiar with the basics of computer security. We might use facial recognition to unlock our phones or thumbprint biometrics to access certain apps. Our laptops require admin passwords. Our email and banking accounts require multi-factor authentication (MFA) when logging in. 

The reason for these practices? To protect the personal information on our devices so that our identities don’t get stolen and our data doesn’t get hacked. Infosec professionals take these practices to the next level. They work towards the same goals with more advanced techniques and for organizations instead of individuals.

The analyst’s job is to monitor the data, networks, and individual computer systems within an organization to ensure information is secure. They must have the knowledge to prevent sensitive information from leaking and to remediate issues if there is a breach. Crafting and enforcing proactive security measures that avoid and block cyberattacks is also an important part of their work. This means working with tools and appliances like firewalls, antivirus, intrusion prevention systems (IPS), port scanners, vulnerability scanners, and packet sniffers.

An analyst might also conduct penetration testing on web-based applications, networks, and computers. The testing is intended to identify any imminent system threats that can be eliminated before they become bigger problems. In addition to proactive methods of blocking hackers, reverse engineering software to identify vulnerabilities is also a valuable skill. Analyzing how parts of the system work better prepares an infosec analyst for detecting malware and patching bugs.

General tasks might include analyzing metrics to find and eliminate suspicious network activity, training employees, and generating reports for business managers and IT administrators on how well the security policies are working.

Other information security analyst responsibilities include:

• Risk assessment
• Vulnerability assessment
• Creating, updating, and/or implementing security policies
• Creating, updating, and/or implementing incident response plans
• Root cause analysis of data breaches and security incidents
• Conducting security audits

Information security analyst vs. other IT roles

So, how does an information security analyst differ from other IT roles? Generally, these IT positions can be differentiated by seniority level, typical tasks, and area of focus. For example, an information security analyst isn’t the same as a security administrator. Generally, an information security analyst focuses on policy and analysis while a security administrator focuses more on hands-on implementation and changes. Another example: security roles with “engineer” in the title tend to be higher in seniority and deal with the more complex, organization-wide issues.

What skills does an information security analyst need?

Technical skills relevant to a career as an information security analyst include a sound understanding of computer systems, networking, encryption, and security standards and best practices. While these hard skills are crucial, it’s also important to foster soft skills to set you apart from the competition.

As with many jobs, having strong communication skills will help you collaborate with managers, other analysts, and non-technical coworkers. Because this role may interface with both technical and non-technical roles, you’ll want to demonstrate an ability to communicate problems and solutions to both audiences — those who know the technical details behind the issues you’re presenting and those who don’t.

Additionally, critical thinking is a must-have skill. Not only will you need to analyze systems and whether or not security measures are working, but you’ll also need a critical eye for weak areas and to detect threats before they become full-blown attacks.

What education is required for an information security analyst?

Getting a bachelor’s degree in a field like computer science or information technology is the typical path for nabbing an entry-level information security position, according to the Bureau of Labor Statistics. However, many organizations are finally recognizing that relevant professional experience is just as important, if not more so than a degree.

Relevant experience may include working as a database administrator, a software engineer, or an information systems manager. Potential employers will be looking for working knowledge of how computer systems and data networks work, and your ability to support or secure them.

Depending on where you’ve gotten your experience, you could tailor your job search for a better chance of getting hired. For example, suppose your previous employment was as a network analyst. In that case, a move into a role focusing on network security rather than database security may make sense.

Additionally, IT certifications can go a long way in helping land an infosec job. Major network vendors and certification bodies like Cisco, Juniper, and CompTIA offer security-focused certifications to help with career progression.

With the right education and experience, you can go further on the infosec career path. The information security analyst role doesn’t have to be where you stop. You could go on to become a computer and information systems manager or a chief security officer.

CCNA and other information security certifications

The right certification can help you stand out to employers and further refine your skill set. Since Cisco’s certifications, CCNA (Cisco Certified Network Associate) and CCIE (Cisco Certified Internetwork Expert) are a gold standard in network certifications, it makes sense that they have value in the domain of network security as well.

For a long time, the CCNA security was a go-to certification for learners looking to strengthen their infosec skill set and resume. However, beginning February 24, 2020, Cisco revamped their entire certification offering. The CCNA Security certification is no longer active. Replacing the CCNA Security and other CCNA specializations is a single CCNA certification and exam. The reason for this change is that learners at an associate-level need a broader set of skills and can specialize in targeted skills at the professional-level certifications.

Today, the CCNP (Cisco Certified Network Professional) Security certification is where security specializations begin with Cisco. In addition to the core CCNP Security exam (350-701 SCOR) you can choose from one of six concentrations including those related to the Cisco Firepower Next-Generation IPS, automation for security solutions, Virtual Private Networks (VPNs), email security, web security, and Cisco Identity Services Engine.

What if you’re not quite at the professional level yet? Cisco states candidates for the CCNP often have three to five years of experience implementing security solutions. If you’re not ready for the CCNP, the CCNA is an obvious first step. However, for a more security-centric certification, consider Cisco’s new CyberOps Associate, which has no formal prerequisites. Alternatively, CompTIA’s Security+ certification offers a solid vendor-neutral option if you’d prefer not to focus on Cisco.

If you are at the professional level but want to go a non-Cisco route, consider the CISSP (Certified Information Systems Security Professional) certification. The CISSP is a well-known certification from ISC², an international nonprofit focused on infosec. According to ISC², the CISSP makes sense for security practitioners in a variety of roles, including security analysts. The certification program focuses on cybersecurity program implementation, design, and management.

Landing a role as an information security analyst takes the right mix of education, skills, experience, and professional networking. The right certifications can go a long way towards helping provide relevant education and validate relevant skills. Cisco’s CCNP Security, CompTIA’s Security+, and CISSP are three popular certifications that can help do just that. If you’re looking to learn more about information security, take a look at our library of CCNP Security, Security+ and CISSP courses.